Arranging groups of services

Arranging groups of services

[Demi Marie Obenour]

[-- Attachment #1.1.1: Type: text/plain, Size: 2064 bytes --]

I'm working on Spectrum OS (https://spectrum-os.org/) and am
currently porting it from s6 (https://skarnet.org/software/s6-linux-init/)
to systemd.

Spectrum OS's host (which is what is being ported) is rather
different from a normal system:

- The root filesystem is completely read-only.  There's no writable /var.
  I decided to put a tmpfs there for now.
- There is no network access, so /etc/resolv.conf isn't needed.
- The real work happens in VMs, each of which depends on a few services:
  - Cloud Hypervisor (https://www.cloudhypervisor.org) which runs the VM.
  - crosvm (https://crosvm.dev/book/) used for graphics.
  - virtiofsd (https://virtio-fs.gitlab.io) to provide a filesystem
  - Spectrum OS's own proxy for the XDG desktop portals
  - In the future, an instance of vhost-device-sound
    (https://github.com/rust-vmm/vhost-device/blob/main/vhost-device-sound/README.md)
    used for sound
  - A per-VM D-Bus daemon
  - An instance of xdg-desktop-portal

If the Cloud Hypervisor instance is stopped or exits, the others
should be stopped automatically, as they have no other use.
Having BindsTo=, After=, PropagatesStopTo=, and PropagatesReloadTo=
should handle most cases, but I don't know if that is sufficient
if Cloud Hypervisor exits spontaneously (because the guest shut down)
or crashes.

Additionally, these services have different sandboxing needs.
Cloud Hypervisor should only be able to connect to its own instance
of the daemons that serve it, rather than to any instance.
crosvm needs GPU and Wayland access and vhost-device-sound needs
to connect to PipeWire.  virtiofsd needs an id-mapped mount.
I would also like to block abstract AF_UNIX socket access.

Are there existing systemd features that can easily meet these
needs?  For the sockets I am thinking of placing them in
RuntimeDirectory= and only giving the correct units access to
those directories.  Also, I would like to use `DynamicUser=`
for everything where that is possible.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [systemd-devel] Arranging groups of services

[Michal Koutný]

[-- Attachment #1: Type: text/plain, Size: 1140 bytes --]

Hello.

On Sat, Aug 16, 2025 at 07:11:32PM -0400, Demi Marie Obenour <demiobenour@gmail.com> wrote:
> If the Cloud Hypervisor instance is stopped or exits, the others
> should be stopped automatically, as they have no other use.
> Having BindsTo=, After=, PropagatesStopTo=, and PropagatesReloadTo=
> should handle most cases, but I don't know if that is sufficient
> if Cloud Hypervisor exits spontaneously (because the guest shut down)
> or crashes.

Maybe
vm.service
Wants=crosvm.service ... xdf-desktop-portal.service

and each of the supporive services would have
StopWhenUnneeded=true


> Additionally, these services have different sandboxing needs.
> Cloud Hypervisor should only be able to connect to its own instance
> of the daemons that serve it, rather than to any instance.
> crosvm needs GPU and Wayland access and vhost-device-sound needs
> to connect to PipeWire.  virtiofsd needs an id-mapped mount.
> I would also like to block abstract AF_UNIX socket access.


> Are there existing systemd features that can easily meet these
> needs?

See JoinsNamespaceOf= (systemd.unit(5)) whether it'd cover your usage.

HTH,
Michal

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 265 bytes --]

Re: [systemd-devel] Arranging groups of services

[Lennart Poettering]

On Sa, 16.08.25 19:11, Demi Marie Obenour (demiobenour@gmail.com) wrote:

> I'm working on Spectrum OS (https://spectrum-os.org/) and am
> currently porting it from s6 (https://skarnet.org/software/s6-linux-init/)
> to systemd.
>
> Spectrum OS's host (which is what is being ported) is rather
> different from a normal system:
>
> - The root filesystem is completely read-only.  There's no writable /var.
>   I decided to put a tmpfs there for now.

As per https://systemd.io/SYSTEMD_FILE_HIERARCHY_REQUIREMENTS we
document that /var/ should be writable by the time local-fs.target is
reached. Putting a tmpfs there is fine, for systems that should not be
persistency.

If you leave /var/ read-only after local-fs.target then you are on
your own.

> - There is no network access, so /etc/resolv.conf isn't needed.
> - The real work happens in VMs, each of which depends on a few services:
>   - Cloud Hypervisor (https://www.cloudhypervisor.org) which runs the VM.
>   - crosvm (https://crosvm.dev/book/) used for graphics.
>   - virtiofsd (https://virtio-fs.gitlab.io) to provide a filesystem
>   - Spectrum OS's own proxy for the XDG desktop portals
>   - In the future, an instance of vhost-device-sound
>     (https://github.com/rust-vmm/vhost-device/blob/main/vhost-device-sound/README.md)
>     used for sound
>   - A per-VM D-Bus daemon
>   - An instance of xdg-desktop-portal
>
> If the Cloud Hypervisor instance is stopped or exits, the others
> should be stopped automatically, as they have no other use.
> Having BindsTo=, After=, PropagatesStopTo=, and PropagatesReloadTo=
> should handle most cases, but I don't know if that is sufficient
> if Cloud Hypervisor exits spontaneously (because the guest shut down)
> or crashes.

Usually PartOf= is what is used for this, to bind the services's
lifetime to some target.

> Additionally, these services have different sandboxing needs.
> Cloud Hypervisor should only be able to connect to its own instance
> of the daemons that serve it, rather than to any instance.

connect how? AF_UNIX?

> crosvm needs GPU and Wayland access and vhost-device-sound needs
> to connect to PipeWire.  virtiofsd needs an id-mapped mount.
> I would also like to block abstract AF_UNIX socket access.

PrivateNetwork= disconnects the abstract AF_UNIX socket namespace
too. (But not AF_UNIX in the fs!)

> Are there existing systemd features that can easily meet these
> needs?  For the sockets I am thinking of placing them in
> RuntimeDirectory= and only giving the correct units access to
> those directories.  Also, I would like to use `DynamicUser=`
> for everything where that is possible.

For the sockets you could put them in some special dir somewhere
then bind mount them via BindReadOnlyPaths=...

Lennart

--
Lennart Poettering, Berlin